Menu
This question is similar to this, but that one only references MD5 collision demos.
Are there any actual SHA1 collision pairs of arbitrary messages known so far ?
I'd like to use these to test how various software products (my own one and some third party) deal with it.
Doing some Google searches only turned up the oh-so prominent MD5 / SHA0 collisions and some hints on an approach to creating SHA1 collisions but I could not get my hands on any examples.
209
SHA-1 collision attacksIn a cryptographic hash function, collisions should in theory be not significantly faster to find than in a brute force attack. Such a brute-force attack is based on the birthday paradox, and it would require expected 2^80 computations to produce a SHA-1 collision.
“We note that classical collisions and chosen-prefix collisions do not threaten all usages of SHA-1." There are several potential scenarios in which the new collision could be implemented in an attack, the most likely of which is someone impersonating another user by creating an identical PGP key.
In their paper, Leurent and Peyrin put the theoretical cost at $11,000 for a SHA-1 collision and $45,000 for a chosen-prefix collision. To actually carry out their attack required two months of computation time using 900 Nvidia GTX 1060 GPUs.
In order to prevent this attack from active use, we've added protections for Gmail and GSuite users that detects our PDF collision technique. Furthermore, we are providing a free detection system to the public. You can find more details about the SHA-1 attack and detailed research outlining our techniques here.
As of February 23rd 2017 this answer is no longer accurate.
For more than six years, the SHA1 cryptographic hash function underpinning Internet security has been at death's door. Now it's officially dead, thanks to the submission of the first known instance of a fatal exploit known as a "collision."
There is no known collision for SHA-1 yet. Right now:
There was an effort to obtain a SHA-1 collision by harnessing power from whoever had some spare CPU clock cycles to donate, with the BOINC framework to organize the whole thing, but there were not enough volunteers and the effort was abandoned last year. Hence no actual SHA-1 collision yet.
Theoretical attacks rely on some assumptions which may prove to be slightly false; for instance, the attack on MD5 is actually a bit faster than expected (at some point there is a property which must be fulfilled, with a theoretical probability of 2-28, but in practice it is more like 2-27.7, i.e. the attack is 20% faster than predicted). It is still considered that the theoretical attack is correct and the complexity "rather accurate".
114
The first known collision has now been published at https://shattered.it/
$ curl -sSO https://shattered.it/static/shattered-1.pdf $ curl -sSO https://shattered.it/static/shattered-2.pdf $ sha1sum *.pdf 38762cf7f55934b34d179ae6a4c80cadccbb7f0a shattered-1.pdf 38762cf7f55934b34d179ae6a4c80cadccbb7f0a shattered-2.pdf $ sha256sum *.pdf 2bb787a73e37352f92383abe7e2902936d1059ad9f1ba6daaa9c1e58ee6970d0 shattered-1.pdf d4488775d29bdef7993367d541064dbdda50d383f89f0aa13a6ff2e0894ba5ff shattered-2.pdf If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
